AWS Reference Deployment Guide

Building a Mesh Cloud Network for AWS VPCs and Datacenter

Aviatrix Systems provides the next generation cloud networking solution built from the ground up for the public cloud. Aviatrix simplifies the way you enable site to cloud, user to cloud and cloud to cloud secure connectivity and access. The solution requires no new hardware and deploys in minutes.

Aviatrix CloudN is a virtual appliance deployed in datacenter. Datacenter Extension is a unique technology on CloudN. It manages your public cloud address space and allows rapid scaling of AWS Virtual Private Cloud (VPC) by removing the pain point of building secure connections to the VPCs.

How it Works

Mix Layer 2 and Layer 3 Technologies

CloudN uses a mixed Layer 2 and Layer 3 technologies whereas the CloudN virtual appliance behaves as a Layer 2 bridge and Gateway (launched by CloudN at VPC creation time) behaves as a Layer 3 router. The design of CloudN as a Layer 2 bridge makes it possible to build an overlay IPSec tunnel to AWS VPC without involving edge routers in the network. The design of Gateways as a Layer 3 router makes it possible for the VPC to fully utilize all AWS VPC underlying infrastructures and services without requiring any software agent reside in any of the instances.

Instances within the VPC communicate with each other directly and transparently without involvement of Gateway. From the user’s perspective, what CloudN creates is a standard VPC.

CloudN views each VPC as the smallest autonomous environment, it allows you to create security policies to deny any subnet or hosts on premise to access any VPC. For example, you may want to block developers from accessing production VPC. By default, inter-VPC communication is blocked. By using VPC/VNet peering capability, you can establish direct secure tunnels among VPC in the same region or across different regions.

Enterprise users can access instances seamlessly in all private and public subnets over the secure tunnel using instance private addresses. All instances on private subnets can reach back to enterprise. Optionally packets from instances on private subnets can reach Internet directly without being first sent back to the enterprise.

Dividing Subnets

CloudN works by dividing the subnet where cloudN is deployed into sub segments (or smaller subnets). The VPC CIDRs created by cloudN are one of the sub segments. The mechanism is illustrated below. VPC in the below diagram could be replaced with a VNet.

Where a local subnet 10.16.0.0/16 has a default gateway 10.16.0.1. The subnet is divided into 4 sub segments. The default gateway and CloudN IP address fall into one segment. The rest of each segment is mapped to a VPC CIDR, in this case, the VPC CIDRs are 10.16.32.0/19, 10.16.64.0/19 and 10.16.96.0/19. If this subnet 10.16.0.0/16 is reachable from other network in the enterprise, then the instances inside each VPC takes private IP address as if they are on the local subnet 10.16.0.0/16. For users in the enterprise, it is as if they are communicating with hosts on the local network.

Pre Configuration Checklist

1. AWS EC2 Account

You need to have an AWS account to use most of the commands on CloudN. Note that CloudN support multiple cloud accounts with each one associated with a different AWS IAM account, but there needs to be at least one to start with.

2. Plan Cloud Address Space

CloudN manages your cloud address space. Carve out an unused consective network address space in your datacenter. The CIDR block of this address can be determined by how many VPCs you will need and how big the address space you can allocate. For example, a CIDR block with /16 address range can create as many as 254 VPCs.

Once you have created all the VPCs from the allocated address space, you can always allocate a new address space and launch a new CloudN virtual appliance.

3. Deploy the Aviatrix CloudN Virtual Appliance

Reference the startup guide to deploy the virtual appliance.

Check and make sure you can access the Aviatrix Controller dashboard and login with an admin account. The default URL for the Aviatrix Controller is:

https://<Private IP address of Aviatrix Controller>

Configuration Steps

1. Onboarding and create a cloud account

Upon login to the controller for the first time, follow the onboarding process to create a cloud account that corresponding to an AWS IAM account. Aviatrix CloudN uses the account IAM credential to execute AWS REST APIs to create VPC and necessary resources.

2. Create a VPC and build an encrypted tunnel

After going through onboarding steps, click Datacenter Extension. Provide a name for the VPC you are about to create, select an AWS region, and click Launch. In a few minutes of time, a VPC, public subnet and private subnet in each AZ of the selected region, IGW and routing tables will be created; an Aviatrix Gateway will be launched and an encrypted tunnel will be created.

You then can launch instances in the VPC and access the instances by their private IP addresses.

Appendices

Terminating on VGW

The Aviatrix transit VPC solution also supports terminating on AWS VGWs in the spoke VPC. In this case, the AWS VGWs must be manually setup in each spoke VPC.

AWS Support

AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.